Cisco AnyConnect Secure Mobility Client v2.x Troubleshooting Guide
AnyConnect over IKEv2 to ASA with AAA and Certificate Authentication
Document ID: 113692
Contributed by Atri Basu and Marcin Latosiewicz, Cisco TAC Engineers.
Jun 23, 2014
Contents
Introduction
Prepare for the Connection
Certificates with Proper EKU
Configuration on the ASA
Crypto Map Configuration
IPsec Proposals
IKEv2 Policies
Client Services and Certificate
Enable AnyConnect Profile
Username, Group−Policy, and Tunnel−Group
AnyConnect Profile
Make the Connection
Verification on ASA
Known Caveats
Introduction
This document describes how to connect a PC to a Cisco Adaptive Security Appliance (ASA) with the use of
AnyConnect IPsec (IKEv2) as well as certificate and Authentication, Authorization, and Accounting (AAA)
authentication.
Note: The example that is provided in this document describes only the relevant parts that are used in order to
obtain an IKEv2 connection between the ASA and AnyConnect. A full configuration example is not provided.
Network Address Translation (NAT) or access−list configuration is not described or required in this
document.
Prepare for the Connection
This section describes the preparations that are required before you can connect your PC to the ASA.
Certificates with Proper EKU
It is important to note that, even though it is not required for the ASA and AnyConnect combination, the RFC
requires that certificates have Extended Key Usage (EKU):
• The certificate for the ASA must contain the server-auth EKU.
• The certificate for the PC must contain the client-auth EKU.
Note: A Cisco IOS router that runs a recent software release can place EKUs onto the certificates it issues.
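The following script is an added example, not part of the Cisco document, that checks whether a PEM certificate carries the EKU its role requires before it is enrolled on the ASA or installed on the PC. It assumes the openssl CLI (1.1.1 or newer for the -addext option used to build the constructed sample certificates) and uses OpenSSL's long names for the server-auth and client-auth EKU values.

```shell
#!/bin/sh
# Added example (not from the Cisco document): verify that a certificate has
# the EKU its role needs: server-auth for the ASA, client-auth for the PC.
# Assumes the openssl CLI; sample certificates are constructed locally.

# Print the EKU list of a certificate; prints nothing if the extension is absent.
cert_eku() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/X509v3 Extended Key Usage/ { getline; print }'
}

# Succeed (exit 0) only when the certificate lists the given OpenSSL EKU name.
has_eku() {
    cert_eku "$1" | grep -q "$2"
}

# Role-specific checks that map the document's two requirements onto
# OpenSSL's long names for the serverAuth and clientAuth EKU OIDs.
check_asa_cert()    { has_eku "$1" "TLS Web Server Authentication"; }
check_client_cert() { has_eku "$1" "TLS Web Client Authentication"; }

# Build a throwaway self-signed certificate (constructed test data, not a real
# ASA or user certificate). $1 = output file, $2 = CN, $3 = EKU list or empty.
make_cert() {
    key=$(mktemp)
    if [ -n "$3" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$1" \
            -subj "/CN=$2" -days 1 -addext "extendedKeyUsage=$3" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$1" \
            -subj "/CN=$2" -days 1 >/dev/null 2>&1
    fi
    rm -f "$key"
}

# Report both role checks for every certificate given on the command line,
# e.g.: sh eku_check.sh asa.pem user.pem
main() {
    for f in "$@"; do
        printf '%s: server-auth=%s client-auth=%s\n' "$f" \
            "$(check_asa_cert "$f" && echo present || echo MISSING)" \
            "$(check_client_cert "$f" && echo present || echo MISSING)"
    done
}
```

A certificate that reports MISSING for its role is the one to re-issue with the proper EKU before attempting the IKEv2 connection.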